Overview

This article outlines the permissions necessary for backup and restore using Microsoft 365 Backup Storage.

Druva requires App-only access, which permits Azure AD applications to execute actions with admin-driven consent.

Permissions required for the Microsoft 365 Backup Storage application:

Permissions	Type	Purpose
`Sites.Read.All`	Application	Display Text - Read items in all site collections Description - Site Listing and Search site for protection or backup.
`User.Read.All`	Application	Display Text - Read all users' full profiles Description - Allows the application to read user profiles without a signed-in user.
`BackupRestore-Configuration.Read.All`	Application	Display Text - Read all backup configuration policies Description - Allows the application to read all backup configurations and lists of Microsoft 365 service resources to be backed up without a signed-in user.
`BackupRestore-Configuration.ReadWrite.All`	Application	Display Text - Read and edit all backup configuration policies Description - Allows the application to read and update the backup configuration and list of Microsoft 365 service resources to be backed up without a signed-in user.
`BackupRestore-Restore.Read.All`	Application	Display Text - Read all restore sessions Description - Allows the application to read all restore sessions without a signed-in user.
`BackupRestore-Monitor.Read.All`		Display Text - Read all monitoring, quota, and billing information for your tenant Description - Allows the application to monitor all backup and restore jobs, view quota usage and billing details, without a signed-in user.
`BackupRestore-Restore.ReadWrite.All`	Application	Display Text - Read restore all sessions and start restore sessions from backups. Description - Allows the application to search all backup snapshots for Microsoft 365 resources and restore Microsoft 365 resources from a backed up snapshot, without a signed-in user.
`BackupRestore-Search.Read.All`	Application	Display Text - Search for metadata properties in all backup snapshots Description - Allows the application to search all backup snapshots for Microsoft 365 resources without a signed-in user.
`BackupRestore-Control.ReadWrite.All`	Application	Display Text - Update or read the status of the M365 backup service Description - Allows the application to update or read the status of the Microsoft 365 backup service (enable/disable) without signed in user
`BackupRestore-Control.ReadWrite.All`	Delegated	Display Text - Update or read the status of the M365 backup service Description - Allows the application to update or read the status of Microsoft 365 backup service (enable/disable), on your behalf.

Microsoft 365 Permissions for Druva App

Protect Exchange Online using Microsoft 365 Backup Storage

Protect OneDrive using Microsoft 365 Backup Storage

Protect Microsoft 365 Data using Microsoft 365 Backup Storage

Microsoft 365 Backup Storage Overview